Expect-CT - HTTP

The Expect-CT header lets sites opt in to reporting and/or enforcement of Certificate Transparency requirements, to prevent the use of misissued certificates for that site from going unnoticed.

CT requirements can be satisfied via any one of the following mechanisms:

  • X.509v3 certificate extension to allow embedding of signed certificate timestamps issued by individual logs
  • A TLS extension of type signed_certificate_timestamp sent during the handshake
  • Supporting OCSP stapling (that is, the status_request TLS extension) and providing a SignedCertificateTimestampList

When a site enables the Expect-CT header, it is requesting that the browser check that any certificate for that site appears in public CT logs.

Browsers ignore the Expect-CT header over HTTP; the header only has effect on HTTPS connections.

The Expect-CT header will likely become obsolete in June 2021. Since May 2018, new certificates are expected to support SCTs by default. Certificates issued before March 2018 were allowed to have a lifetime of 39 months, so those will all be expired in June 2021.

Header type: Response header
Forbidden header name: yes

Syntax

Expect-CT: report-uri="<uri>",
           enforce,
           max-age=<age>

Directives

max-age

The number of seconds after reception of the Expect-CT header field during which the user agent should regard the host of the received message as a known Expect-CT host.

If a cache receives a value greater than it can represent, or if any of its subsequent calculations overflows, the cache will consider this value to be either 2,147,483,648 (2^31) or the greatest positive integer it can represent.

report-uri="<uri>" Optional

The URI where the user agent should report Expect-CT failures.

When present with the enforce directive, the configuration is referred to as an "enforce-and-report" configuration, signalling to the user agent both that compliance to the Certificate Transparency policy should be enforced and that violations should be reported.

enforce Optional

Signals to the user agent that compliance with the Certificate Transparency policy should be enforced (rather than only reporting compliance) and that the user agent should refuse future connections that violate its Certificate Transparency policy.

When both the enforce directive and the report-uri directive are present, the configuration is referred to as an "enforce-and-report" configuration, signalling to the user agent both that compliance to the Certificate Transparency policy should be enforced and that violations should be reported.

Example

The following example specifies enforcement of Certificate Transparency for 24 hours and reports violations to foo.example.

Expect-CT: max-age=86400, enforce, report-uri="https://foo.example/report"
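
For auditing deployed headers, the following added example (not from the original page or from any browser's code) parses an Expect-CT value according to the directives described above and reports which configuration it produces. The function name parse_expect_ct, the mode labels "report-only", "enforce" and "no-op", and the choice to reject repeated directives are assumptions made for this example.

```python
import re

MAX_AGE_CAP = 2**31  # fallback the page gives for unrepresentable max-age values

# One comma-separated directive: a name, optionally "=" token or quoted string.
_DIRECTIVE = re.compile(
    r'\s*([A-Za-z0-9-]+)\s*(?:=\s*("(?:[^"\\]|\\.)*"|[^\s,;"]+))?\s*(?:,|$)')

def parse_expect_ct(value, scheme="https"):
    """Return the policy derived from an Expect-CT value, or None if ignored."""
    if scheme != "https":
        return None  # the header only has effect on HTTPS connections
    seen, pos = {}, 0
    while pos < len(value):
        m = _DIRECTIVE.match(value, pos)
        if m is None:
            return None  # malformed directive list
        name = m.group(1).lower()  # directive names compared case-insensitively
        if name in seen:
            return None  # assumption: a repeated directive invalidates the header
        seen[name] = m.group(2)
        pos = m.end()

    age = seen.get("max-age")
    if age is None or not (age.isascii() and age.isdigit()):
        return None  # max-age is the one directive not marked Optional
    if seen.get("enforce") is not None:
        return None  # enforce takes no value
    uri = seen.get("report-uri")
    if "report-uri" in seen and (uri is None or len(uri) < 3 or uri[0] != '"'):
        return None  # report-uri must be a non-empty quoted string
    enforce, report = "enforce" in seen, (uri[1:-1] if uri else None)
    if enforce and report:
        mode = "enforce-and-report"
    elif enforce:
        mode = "enforce"
    else:
        mode = "report-only" if report else "no-op"
    digits = age.lstrip("0")[:20] or "0"  # 20 digits already exceed the cap
    return {"mode": mode, "max_age": min(int(digits), MAX_AGE_CAP),
            "report_uri": report}

if __name__ == "__main__":
    # Header from the Example section above
    print(parse_expect_ct(
        'max-age=86400, enforce, report-uri="https://foo.example/report"'))
```
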

Notes

Root CAs manually added to the trust store override and suppress Expect-CT reports/enforcement.

Browsers will not remember an Expect-CT policy, unless the site has 'proven' it can serve a certificate satisfying the certificate transparency requirements. Browsers implement their own trust model regarding which CT logs are considered trusted for the certificate to have been logged to.

Builds of Chrome are designed to stop enforcing the Expect-CT policy 10 weeks after the installation's build date.

Specifications

Specification: Internet Draft
Title: Expect-CT Extension for HTTP
